SUN-P4182 

CLAIMS 



What is Claimed is: 



1. A method for remote incremental program verification, said method comprising:
receiving content verified by at least one content provider, said at least one content provider including an applet provider, a device manufacturer, a device issuer and a trusted post-issuance installer, said content including at least one program unit, each program unit comprising an Application Programming Interface (API) definition file and an implementation, each API definition file defining items in its associated program unit that are made accessible to one or more other program units, each implementation including executable code corresponding to said API definition file, said executable code including type specific instructions and data, said verification including determining binary compatibility of earlier program unit implementations with later program unit implementations;
installing said content on a resource-constrained device;
issuing said resource-constrained device to an end user; and
allowing post-issuance installation of verified content on said resource-constrained device by said trusted post-issuance installer, said post-installation occurring after said issuance.
2. The method of claim 1 wherein said verification further comprises:
receiving a second version of said first program unit implementation and a second version of said first program unit API definition file, said second version being a revised version of said first version;
verifying said second version of said first program unit implementation, including
indicating a verification error when said second version of said first program unit implementation is not internally consistent; and
indicating a verification error when said second version of said first program unit implementation is inconsistent with said second version of said first program unit API definition file; and
verifying said second version of said first program unit implementation is binary compatible with said first version of said first program unit implementation, including indicating a verification error when said first version of said first program unit API definition file is incompatible with said second version of said first program unit API definition file.

3. The method of claim 2, further comprising:
indicating a verification error when a second program unit implementation that references said first program unit is inconsistent with said first version of said first program unit API definition file; and
indicating said second program unit implementation is verified with said second version of said first program unit API definition file when said second version of said first program unit implementation is compatible with said first version of said first program unit implementation.

4. The method of claim 3, further comprising:
indicating said second program unit implementation is verified with said second version of said first program unit implementation when said second program unit implementation is verified with said second version of said first program unit API definition file.

5. The method of claim 2 wherein said first version of said first program unit API definition file is binary compatible with said second version of said first program unit API definition file when said second version of said first program unit API definition file includes a superset of each element in said first version of said first program unit API definition file.
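Claims 2 to 5 state the incremental checks in words. The following is an added illustration, not code from the patent or from its assignee, that models an API definition file as the set of item names a program unit exports and applies the three checks of claim 2 (internal consistency, consistency with the API definition file, binary compatibility via the superset rule of claim 5), together with the rule of claims 3 and 4 that a dependent unit verified against the first version carries over to a binary-compatible second version. Unit and item names such as Purse and Wallet are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ApiDefinition:
    """API definition file: the items a program unit makes accessible to other units."""
    unit: str
    version: int
    exports: frozenset


@dataclass
class Implementation:
    """Executable code of a program unit, modelled by the items it defines and references."""
    unit: str
    version: int
    defines: frozenset                                  # items the code provides
    internal_refs: frozenset = frozenset()              # items it references inside its own unit
    external_refs: dict = field(default_factory=dict)   # other unit name -> items referenced there


def internally_consistent(impl):
    """Claim 2, first check: every item the code references within its own unit must be defined."""
    return impl.internal_refs <= impl.defines


def consistent_with_api(impl, api):
    """Claim 2, second check: the implementation must provide every item its API definition file exports."""
    return impl.unit == api.unit and impl.version == api.version and api.exports <= impl.defines


def binary_compatible(old_api, new_api):
    """Claim 5: the revision is binary compatible when its API file exports a superset of the earlier items."""
    return old_api.unit == new_api.unit and old_api.exports <= new_api.exports


def verify_revision(old_api, new_api, new_impl):
    """Run the incremental checks of claim 2 on a revised unit; returns the list of verification errors."""
    errors = []
    if not internally_consistent(new_impl):
        missing = sorted(new_impl.internal_refs - new_impl.defines)
        errors.append(f"{new_impl.unit} v{new_impl.version}: not internally consistent, undefined {missing}")
    if not consistent_with_api(new_impl, new_api):
        missing = sorted(new_api.exports - new_impl.defines)
        errors.append(f"{new_impl.unit} v{new_impl.version}: inconsistent with its API definition file, missing {missing}")
    if not binary_compatible(old_api, new_api):
        dropped = sorted(old_api.exports - new_api.exports)
        errors.append(f"{new_api.unit} v{new_api.version}: not binary compatible with v{old_api.version}, dropped {dropped}")
    return errors


def verify_dependent(dep_impl, old_api, new_api):
    """Claims 3 and 4: a unit referencing the first unit is checked against the earlier API file;
    it then counts as verified with the revision whenever the revision is binary compatible."""
    refs = dep_impl.external_refs.get(old_api.unit, frozenset())
    missing = sorted(refs - old_api.exports)
    if missing:
        return False, f"{dep_impl.unit}: references items absent from {old_api.unit} v{old_api.version}: {missing}"
    if binary_compatible(old_api, new_api):
        return True, f"{dep_impl.unit}: verified with {new_api.unit} v{new_api.version} (superset of v{old_api.version})"
    return False, f"{dep_impl.unit}: must be re-verified, {new_api.unit} v{new_api.version} is not compatible with v{old_api.version}"


# Constructed sample units (hypothetical names, not from the patent).
PURSE_V1 = ApiDefinition("Purse", 1, frozenset({"Purse.getBalance()", "Purse.debit(short)"}))
PURSE_V2 = ApiDefinition("Purse", 2, PURSE_V1.exports | {"Purse.credit(short)"})       # compatible: adds an item
PURSE_V3 = ApiDefinition("Purse", 3, frozenset({"Purse.getBalance()", "Purse.credit(short)"}))  # drops debit
PURSE_V2_IMPL = Implementation("Purse", 2, PURSE_V2.exports | {"Purse.balance"}, frozenset({"Purse.balance"}))
PURSE_V2_BAD_IMPL = Implementation("Purse", 2, frozenset({"Purse.getBalance()", "Purse.balance"}),
                                   frozenset({"Purse.balance", "Purse.log"}))   # undefined ref, missing exports
PURSE_V3_IMPL = Implementation("Purse", 3, PURSE_V3.exports | {"Purse.balance"}, frozenset({"Purse.balance"}))
WALLET = Implementation("Wallet", 1, frozenset({"Wallet.pay(short)"}),
                        external_refs={"Purse": frozenset({"Purse.debit(short)"})})


if __name__ == "__main__":
    cases = [(PURSE_V1, PURSE_V2, PURSE_V2_IMPL), (PURSE_V1, PURSE_V2, PURSE_V2_BAD_IMPL),
             (PURSE_V1, PURSE_V3, PURSE_V3_IMPL)]
    for old, new, impl in cases:
        print(f"Purse v{new.version}:", verify_revision(old, new, impl) or "verified")
        print("  Wallet:", verify_dependent(WALLET, old, new)[1])
```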



6. The method of claim 2 wherein
said trusted post-issuance installer verifies a new program unit; and
said trusted post-issuance installer installs said verified new program unit on said resource-constrained device.

7. The method of claim 6 wherein post-issuance verification is performed on a resource-rich device.

8. The method of claim 6 wherein post-issuance verification is performed on a terminal device.

9. The method of claim 6 wherein said verification is performed by the provider of said new program unit.

10. The method of claim 6 wherein said verification is performed by said applet provider.

11. The method of claim 6 wherein said verification is performed by said device manufacturer.

12. The method of claim 6 wherein said verification is performed by said device issuer.

13. The method of claim 6 wherein said verification is performed by said applet provider and said device manufacturer.

14. The method of claim 6 wherein said verification is performed by said applet provider and said device issuer.

15. The method of claim 6 wherein said verification is performed by said device manufacturer and said device issuer.

16. The method of claim 6 wherein said verification is performed by said applet provider, said device manufacturer and said device issuer.

17. The method of claim 6 wherein said verification is performed by said applet provider, said device manufacturer, said device issuer and said trusted post-issuance installer.

18. The method of claim 6 wherein said verification is performed by said device manufacturer, said device issuer and said trusted post-issuance installer.

19. The method of claim 6 wherein said verification is performed by said device manufacturer and said trusted post-issuance installer.

20. The method of claim 6 wherein said verification is performed by said device issuer and said trusted post-issuance installer.

21. The method of claim 6 wherein post-issuance verification is performed on a resource-rich device.

22. The method of claim 6 wherein post-issuance verification is performed on a terminal device.

23. A method for remote incremental program verification, said method comprising:
receiving content verified by at least one content provider, said at least one content provider including an applet provider, a device manufacturer, a device issuer and an untrusted post-issuance installer, said content including at least one program unit, each program unit comprising an Application Programming Interface (API) definition file and an implementation, each API definition file defining items in its associated program unit that are made accessible to one or more other program units, each implementation including executable code corresponding to said API definition file, said executable code including type specific instructions and data, said verification including determining binary compatibility of earlier program unit implementations with later program unit implementations;
installing said content on a resource-constrained device;
issuing said resource-constrained device to an end user; and
allowing post-issuance installation of verified content on said resource-constrained device by said untrusted post-issuance installer, said post-installation occurring after said issuance.




24. The method of claim 23 wherein said verification further comprises:
receiving a second version of said first program unit implementation and a second version of said first program unit API definition file, said second version being a revised version of said first version; and
verifying said second version of said first program unit implementation, including
determining whether said second version of said first program unit implementation is internally consistent; and
determining whether said second version of said first program unit implementation is consistent with said second version of said first program unit API definition file; and
verifying said second version of said first program unit implementation is binary compatible with said first version of said first program unit implementation by comparing said first version of said first program unit API definition file and said second version of said first program unit API definition file.




25. The method of claim 24, further comprising:
determining whether a second program unit implementation that references said first program unit is consistent with said first version of said first program unit API definition file; and
indicating said second program unit implementation is verified with said second version of said first program unit API definition file when said second version of said first program unit implementation is compatible with said first version of said first program unit implementation.

26. The method of claim 25, further comprising:
indicating said second program unit implementation is verified with said second version of said first program unit implementation when said second program unit implementation is verified with said second version of said first program unit API definition file.

27. The method of claim 24 wherein said first version of said first program unit API definition file is binary compatible with said second version of said first program unit API definition file when said second version of said first program unit API definition file includes a superset of each element in said first version of said first program unit API definition file.

28. The method of claim 24 wherein
said untrusted post-issuance installer verifies a new program unit; and
said untrusted post-issuance installer installs said verified new program unit on said resource-constrained device.

29. The method of claim 24 wherein post-issuance verification is performed on a resource-rich device.



30. The method of claim 24 wherein post-issuance verification is performed on a terminal device.



31. The method of claim 24 wherein said verification is performed by the provider of said 
new program unit. 



32. The method of claim 24 wherein said verification is performed by said applet provider.

33. The method of claim 24 wherein said verification is performed by said device manufacturer.



34. The method of claim 24 wherein said verification is performed by said device issuer. 



35. The method of claim 24 wherein said verification is performed by said applet provider 
and said device manufacturer. 
36. The method of claim 24 wherein said verification is performed by said applet provider and said device issuer.



37. The method of claim 24 wherein said verification is performed by said device 
manufacturer and said device issuer. 




38. The method of claim 24 wherein said verification is performed by said applet provider, said device manufacturer and said device issuer.

39. The method of claim 24 wherein said verification is performed by said applet provider, said device manufacturer, said device issuer and said untrusted post-issuance installer.

40. The method of claim 24 wherein said verification is performed by said device manufacturer, said device issuer and said untrusted post-issuance installer.

41. The method of claim 24 wherein said verification is performed by said device manufacturer and said untrusted post-issuance installer.

42. The method of claim 24 wherein said verification is performed by said device issuer and said untrusted post-issuance installer.

43. The method of claim 24 wherein post-issuance verification is performed on a resource-rich device.

44. The method of claim 24 wherein post-issuance verification is performed on a terminal 
device. 




45. A program storage device readable by a machine, embodying a program of instructions executable by the machine to perform program verification, comprising:
receiving content verified by at least one content provider, said at least one content provider including an applet provider, a device manufacturer, a device issuer and a trusted post-issuance installer, said content including at least one program unit, each program unit comprising an Application Programming Interface (API) definition file and an implementation, each API definition file defining items in its associated program unit that are made accessible to one or more other program units, each implementation including executable code corresponding to said API definition file, said executable code including type specific instructions and data, said verification including determining binary compatibility of earlier program unit implementations with later program unit implementations;
installing said content on a resource-constrained device;
issuing said resource-constrained device to an end user; and
allowing post-issuance installation of verified content on said resource-constrained device by said trusted post-issuance installer, said post-installation occurring after said issuance.



46. The program storage device of claim 45 wherein said verification further comprises:
receiving a second version of said first program unit implementation and a second version of said first program unit API definition file, said second version being a revised version of said first version;
verifying said second version of said first program unit implementation, including
indicating a verification error when said second version of said first program unit implementation is not internally consistent; and
indicating a verification error when said second version of said first program unit implementation is inconsistent with said second version of said first program unit API definition file; and
verifying said second version of said first program unit implementation is binary compatible with said first version of said first program unit implementation including indicating a verification error when said first version of said first program unit API definition file is incompatible with said second version of said first program unit API definition file.
47. The program storage device of claim 46, further comprising:
indicating a verification error when a second program unit implementation that references said first program unit is inconsistent with said first version of said first program unit API definition file; and
indicating said second program unit implementation is verified with said second version of said first program unit API definition file when said second version of said first program unit implementation is compatible with said first version of said first program unit implementation.



48. The program storage device of claim 47, further comprising:
indicating said second program unit implementation is verified with said second version of said first program unit implementation when said second program unit implementation is verified with said second version of said first program unit API definition file.






49. The program storage device of claim 46 wherein said first version of said first program unit API definition file is binary compatible with said second version of said first program unit API definition file when said second version of said first program unit API definition file includes a superset of each element in said first version of said first program unit API definition file.




50. The program storage device of claim 46 wherein
said trusted post-issuance installer verifies a new program unit; and
said trusted post-issuance installer installs said verified new program unit on said resource-constrained device.

51. The program storage device of claim 50 wherein post-issuance verification is performed on a resource-rich device.

52. The program storage device of claim 50 wherein post-issuance verification is performed on a terminal device.

53. The program storage device of claim 50 wherein said verification is performed by the provider of said new program unit.



54. A program storage device readable by a machine, embodying a program of instructions executable by the machine to perform program verification, comprising:
receiving content verified by at least one content provider, said at least one content provider including an applet provider, a device manufacturer, a device issuer and an untrusted post-issuance installer, said content including at least one program unit, each program unit comprising an Application Programming Interface (API) definition file and an implementation, each API definition file defining items in its associated program unit that are made accessible to one or more other program units, each implementation including executable code corresponding to said API definition file, said executable code including type specific instructions and data, said verification including determining binary compatibility of earlier program unit implementations with later program unit implementations;
installing said content on a resource-constrained device;
issuing said resource-constrained device to an end user; and
allowing post-issuance installation of verified content on said resource-constrained device by said untrusted post-issuance installer, said post-installation occurring after said issuance.

55. The program storage device of claim 54 wherein said verification further comprises:
receiving a second version of said first program unit implementation and a second version of said first program unit API definition file, said second version being a revised version of said first version; and
verifying said second version of said first program unit implementation, including
indicating a verification error when said second version of said first program unit implementation is not internally consistent; and
indicating a verification error when said second version of said first program unit implementation is inconsistent with said second version of said first program unit API definition file; and
verifying said second version of said first program unit implementation is binary compatible with said first version of said first program unit implementation including indicating a verification error when said first version of said first program unit API definition file is incompatible with said second version of said first program unit API definition file.
56. The program storage device of claim 55, further comprising:
indicating a verification error when a second program unit implementation that references said first program unit is inconsistent with said first version of said first program unit API definition file; and
indicating said second program unit implementation is verified with said second version of said first program unit API definition file when said second version of said first program unit implementation is compatible with said first version of said first program unit implementation.



57. The program storage device of claim 56, further comprising:
indicating said second program unit implementation is verified with said second version of said first program unit implementation when said second program unit implementation is verified with said second version of said first program unit API definition file.



58. The program storage device of claim 55 wherein said first version of said first program unit API definition file is binary compatible with said second version of said first program unit API definition file when said second version of said first program unit API definition file includes a superset of each element in said first version of said first program unit API definition file.

59. The program storage device of claim 55 wherein
said untrusted post-issuance installer verifies a new program unit; and
said untrusted post-issuance installer installs said verified new program unit on said resource-constrained device.

60. The program storage device of claim 55 wherein post-issuance verification is performed on a resource-rich device.

61. The program storage device of claim 55 wherein post-issuance verification is performed on a terminal device.

62. The program storage device of claim 55 wherein said verification is performed by the provider of said new program unit.

63. A system for executing a software application, the system comprising:
a computing system that generates executable code, comprising means for receiving content verified by at least one content provider, said at least one content provider including an applet provider, a device manufacturer, a device issuer and a trusted post-issuance installer, said content including at least one program unit, each program unit comprising an Application Programming Interface (API) definition file and an implementation, each API definition file defining items in its associated program unit that are made accessible to one or more other program units, each implementation including executable code corresponding to said API definition file, said executable code including type specific instructions and data, said verification including determining binary compatibility of earlier program unit implementations with later program unit implementations;
means for installing said content on a resource-constrained device;
means for issuing said resource-constrained device to an end user; and
means for allowing post-issuance installation of verified content on said resource-constrained device by said trusted post-issuance installer, said post-installation occurring after said issuance.



64. The system of claim 63 wherein said verification further comprises:
means for receiving a second version of said first program unit implementation and a second version of said first program unit API definition file, said second version being a revised version of said first version;
means for verifying said second version of said first program unit implementation, including
means for indicating a verification error when said second version of said first program unit implementation is not internally consistent; and
means for indicating a verification error when said second version of said first program unit implementation is inconsistent with said second version of said first program unit API definition file; and
means for verifying said second version of said first program unit implementation is binary compatible with said first version of said first program unit implementation including indicating a verification error when said first version of said first program unit API definition file is incompatible with said second version of said first program unit API definition file.






65. The system of claim 64, further comprising:
means for indicating a verification error when a second program unit implementation that references said first program unit is inconsistent with said first version of said first program unit API definition file; and
means for indicating said second program unit implementation is verified with said second version of said first program unit API definition file when said second version of said first program unit implementation is compatible with said first version of said first program unit implementation.



66. The system of claim 65, further comprising:
means for indicating said second program unit implementation is verified with said second version of said first program unit implementation when said second program unit implementation is verified with said second version of said first program unit API definition file.

67. The system of claim 64 wherein said first version of said first program unit API definition file is binary compatible with said second version of said first program unit API definition file when said second version of said first program unit API definition file includes a superset of each element in said first version of said first program unit API definition file.

68. The system of claim 64 wherein
said trusted post-issuance installer verifies a new program unit; and
said trusted post-issuance installer installs said verified new program unit on said resource-constrained device.

69. The system of claim 68 wherein post-issuance verification is performed on a resource-rich device.

70. The system of claim 68 wherein post-issuance verification is performed on a terminal device.

71. The system of claim 68 wherein said verification is performed by the provider of said new program unit.

72. The system of claim 68 wherein said verification is performed by said applet provider.




73. A system for executing a software application, the system comprising:
a computing system that generates executable code, comprising means for receiving content verified by at least one content provider, said at least one content provider including an applet provider, a device manufacturer, a device issuer and an untrusted post-issuance installer, said content including at least one program unit, each program unit comprising an Application Programming Interface (API) definition file and an implementation, each API definition file defining items in its associated program unit that are made accessible to one or more other program units, each implementation including executable code corresponding to said API definition file, said executable code including type specific instructions and data, said verification including determining binary compatibility of earlier program unit implementations with later program unit implementations;
means for installing said content on a resource-constrained device;
means for issuing said resource-constrained device to an end user; and
means for allowing post-issuance installation of verified content on said resource-constrained device by said untrusted post-issuance installer, said post-installation occurring after said issuance.

74. The system of claim 73 wherein said verification further comprises:
means for receiving a second version of said first program unit implementation and a second version of said first program unit API definition file, said second version being a revised version of said first version;
means for verifying said second version of said first program unit implementation, including
means for indicating a verification error when said second version of said first program unit implementation is not internally consistent; and
means for indicating a verification error when said second version of said first program unit implementation is inconsistent with said second version of said first program unit API definition file; and
means for verifying said second version of said first program unit implementation is binary compatible with said first version of said first program unit implementation including indicating a verification error when said first version of said first program unit API definition file is incompatible with said second version of said first program unit API definition file.
75. The system of claim 74, further comprising:
means for indicating a verification error when a second program unit implementation that references said first program unit is inconsistent with said first version of said first program unit API definition file; and
means for indicating said second program unit implementation is verified with said second version of said first program unit API definition file when said second version of said first program unit implementation is compatible with said first version of said first program unit implementation.



76. The system of claim 75, further comprising:
means for indicating said second program unit implementation is verified with said second version of said first program unit implementation when said second program unit implementation is verified with said second version of said first program unit API definition file.
77. The system of claim 74 wherein said first version of said first program unit API definition file is binary compatible with said second version of said first program unit API definition file when said second version of said first program unit API definition file includes a superset of each element in said first version of said first program unit API definition file.
78. The system of claim 74 wherein
said untrusted post-issuance installer verifies a new program unit; and
said untrusted post-issuance installer installs said verified new program unit on said resource-constrained device.

79. The system of claim 74 wherein post-issuance verification is performed on a resource-rich device.

80. The system of claim 74 wherein post-issuance verification is performed on a terminal device.






81. The system of claim 78 wherein said verification is performed by the provider of said new program unit.



82. A resource-constrained device, comprising:
memory for providing content verified by at least one content provider, said at least one content provider including an applet provider, a device manufacturer, a device issuer and a trusted post-issuance installer, said content including at least one program unit, each program unit comprising an Application Programming Interface (API) definition file and an implementation, each API definition file defining items in its associated program unit that are made accessible to one or more other program units, each implementation including executable code corresponding to said API definition file, said executable code including type specific instructions and data, said verification including determining binary compatibility of earlier program unit implementations with later program unit implementations;
an installer device for installation of said content on said resource-constrained device, said installation including installation of initial content and installation of additional content by said trusted post-issuance installer after said resource-constrained device is issued to an end user; and
a virtual machine that is capable of executing instructions included within said content.

83. The resource-constrained device of claim 82 wherein said resource-constrained device comprises a smart card.

84. The resource-constrained device of claim 83 wherein said virtual machine is Java Card™-compliant.

85. A resource-constrained device, comprising:
memory for providing content verified by at least one content provider, said at least one content provider including an applet provider, a device manufacturer, a device issuer and an untrusted post-issuance installer, said content including at least one program unit, each program unit comprising an Application Programming Interface (API) definition file and an implementation, each API definition file defining items in its associated program unit that are made accessible to one or more other program units, each implementation including executable code corresponding to said API definition file, said executable code including type specific instructions and data, said verification including determining binary compatibility of earlier program unit implementations with later program unit implementations;
an installer device for installation of said content on said resource-constrained device, said installation including installation of initial content and installation of additional content by said untrusted post-issuance installer after said resource-constrained device is issued to an end user; and
a virtual machine that is capable of executing instructions included within said content.

86. The resource-constrained device of claim 85 wherein said resource-constrained device comprises a smart card.




87. The resource-constrained device of claim 85 wherein said virtual machine is Java Card™-compliant.